Last week - I discussed the need to secure access to modern business infrastructures using two fundamental questions:
These questions led to three competing priorities at the core of secure access.
But can we ever have all three - from a single platform?
Or is it like the old business trope:
Good. Fast. Cheap.
Choose 2.
Well - it depends on where you're starting.
If you work with Microsoft 365, the answer is simple.
Pay for the Microsoft A3/E3 or Business Premium license, and you will have all the features you need for secure access.
All are integrated and work well together.
It is tempting to try to save money and use a cheaper license, but as we'll see from the Google Workspace situation - you may end up paying more in the long run.
If you use Google Workspace, the answer is more of an adventure, and a patchwork of solutions will be needed. Make the wrong choice, and the patchwork of invoices starts growing.
A paper review of Google Workspace will find that all three requirements are satisfied out of the box.
But the devil is in the detail - and Google's weakness starts with device management.
Superficially - Google's device management ensures that unknown or untrusted devices cannot access Google Workspace data. And if you only use Google's ChromeOS, a comprehensive set of configuration controls is available.
But as soon as your team starts using Windows or Apple devices - the configuration features become non-existent.
The list of poorly supported features or straightforward gaps is significant. For example, you can't:
The list goes on...
The lack of these features pushes IT teams to buy separate device management tools - and this is where the danger lies. The more solutions needed - beyond simply using Google Workspace - the less compelling the Google Workspace value proposition is.
At a high level, there are 2 options available.
Option 1: Maximise the use of Google Workspace features.
Google Workspace can work with 3rd-party device managers via its BeyondCorp Alliance integrations. Unfortunately, there is only a limited number of partners to choose from.
If you're in an Apple-only environment, the answer will be Jamf Pro. But if you need Windows, Mac, iOS and Android support, you can choose Ivanti Neurons (formerly MobileIron) or VMware Workspace ONE.
In this approach, the device managers deploy and configure devices and monitor their compliance with your security policies. Once compliance is assessed, they report the compliance status to Google Workspace - so Context-Aware Access can decide whether to allow access.
Option 2: Customise your solution
If you prefer a different device manager, there's an alternative path.
Use a 3rd-party identity and context-based decision engine - like Okta. As long as Okta's compliance app is installed on the laptop, tablet, or phone, you can use any device manager you prefer.
However - in this option - Google Workspace is entirely bypassed for Secure Access. This means its value rests entirely on other features - Gmail, Google Drive, Google Docs, etc.
And so - controlling who has access to your data and from where - is possible for both Microsoft and Google environments.
But for Google, you must buy a patchwork of additional technologies.